Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of secure generation by a client device (A) and a server device (B) of at least a first RSA signature (H(M)^d), called current signature, of a first message to be signed (M) and a second RSA signature (H(M′)^d), called next signature, of a second message to be signed (M′), with a private exponent component d of an RSA key (p, q, N, d, e), where e is a public exponent component, N is a RSA modulus, p, q primes such N=p·q and e·d=1 modulo phi(N) with phi(N) Euler's function, wherein said client device (A) stores a client device private key equal to (N, dA) with dA representing a client device private exponent component, a current client value (pvA), a next client value (pvA_next) and a current client dynamic offset (hA), and wherein said server device (B) stores a server device private key equal to (N, dB) with dB representing a server device private exponent component, a current server value (pvB), a next server value (pvB_next), where dB=d−dA modulo phi(N), and a current server dynamic offset (hB), said method comprising: a handshake phase performed by the server device (B) comprising: a. receiving from the client device (A) a handshake request comprising a hash of the next client value (pvA_next), b.
checking the value of the next client value (pvA_next) and: when the next client value (pvA_next) equals a first default value (DUMMY): generating a new value (x) and updating the next server value (pvB_next) with the generated new value, sending to the client device (A) the generated new value (x), to be used by the client device as next client value (pvA_next), when the next client value (pvA_next) is not equal to said first default value (DUMMY): checking the value of the next server value (pvB_next), when the next server value (pvB_next) is equal to a second default value (NULL) and the next client value (pvA_next) equals the current server value (pvB): sending to the client device (A) a fix request asking the client device (A) to update the current client value (pvA) with the value of the stored next client value (pvA_next), generating a new value (x) and updating the next server value (pvB_next) with the generated new value, sending to the client device (A) the generated new value (x), to be used by the client device as next client value (pvA_next), when the next server value (pvB_next) is equal to said second default value (NULL) and the next client value (pvA_next) is not equal to the current server value (pvB), suspending performing said method, when the next server value (pvB_next) is not equal to said second default value (NULL): generating a new value (x) and updating the next server value (pvB_next) with the generated new value, sending to the client device (A) the generated new value (x), to be used by the client device as next client value (pvA_next), and signing phase performed by the server device (B) after the handshake phase and generating the current signature; said signing phase comprising: a. 
generating a server part of the current signature (HS2) from the server device private exponent component (dB) and from an updated server dynamic offset (hB′), said updated server dynamic offset (hB′) being function of the current server dynamic offset (hB) and of a server shift value (cB), said server shift value (cB) being function of the current server value (pvB), such that the current signature can be generated by combining said server part of the current signature (HS2) and a client part of the current signature (HS1) generated by the client device (A) from the client device private exponent component (dA) and from an updated client dynamic offset (hA′), said updated client dynamic offset (hA′) being function of the current client dynamic offset (hA) and of a client shift value (cA), said client shift value (cA) being function of the current client value (pvA), b. setting the current server dynamic offset (hB) to the updated server dynamic offset (hB′) value, the current server value (pvB) to the value of the next server value (pvB_next) and the next server value (pvB_next) to said second default value (NULL), the current client dynamic offset (hA) being set to the updated client dynamic offset (hA′) value, the current client value being set to the value of the next client value (pvA_next) and the next client value (pvA_next) being set to said first default value (DUMMY), performing the handshake phase and the signing phase with the next signature as current signature, for generating the next signature.
2. The method of claim 1, wherein the client device private exponent component dA or the server device private exponent component dB is a random integer in [,phi(B+N)].
3. The method of claim 1, wherein said client shift value (cA) is generated by a pseudo random number generator from a secret value (seed_offset) pre-shared between the client device (A) and the server device (B) and from the current client value (pvA), and said server shift value (cB) is generated by a pseudo random number generator from said secret value (seed_offset) and from the current server value (pvB).
4. The method of claim 1, wherein said updated client dynamic offset (hA′) is equal to the sum of the current client dynamic offset (hA) and the client shift value (cA), and wherein said updated server dynamic offset (hB′) is equal to the sum of the current server dynamic offset (hB) and the server shift value (cB).
5. The method of claim 1, wherein said client part of the current signature (HS1) is generated by the client device (A) using as signing key the sum of the client device private exponent component (dA) and the updated client dynamic offset (hA′).
6. The method of claim 1, wherein said server part of the current signature (HS2) is generated by the server device (B) using as signing key the result of subtracting the updated server dynamic offset (hB′) from the server device private exponent component (dB).
7. The method of claim 1, wherein said signing phase comprises: receiving (S6) said client part of the current signature (HS1) from said client device (A), generating (S7) the current signature by combining the received client part of the current signature (HS1) and said server part of the current signature (HS2).
8. The method of claim 7, wherein said signing phase comprises verifying the generated current signature.
9. The method of claim 1, wherein said client device (A) stores a client clone counter (counterA) and said server device (B) stores a server clone counter (counterB), and said method comprising: incrementing, by the client device, the client clone counter by one unit, receiving from the client device the incremented client clone counter, checking if the incremented client clone counter is greater than the server clone counter and: if the incremented client clone counter is greater than the server clone counter, updating said server clone counter with the received value of the client clone counter, else, suspending performing said method.
10. The method of claim 1, wherein the client part of the current signature HS1 of a message to be signed M is equal to H(M)^(dA+hA′) mod n, the server part of the current signature HS2 of said message to be signed M is equal to H(M)^(dB−hB′) mod n, and the current signature of said message to be signed M is equal to HS1*HS2 mod n, with H(M) a hashing of said message to be signed M.
11. A computer program product directly stored in the memory of at least one computer, comprising software code instructions for performing by a computer's processor, when said product is run on the computer, to cause the processor to perform secure generation by the server device (B), in collaboration with a client device (A), of at least a first signature (H(M)^d), called current signature, of a first message to be signed (M) and a second signature (H(M′)^d), called next signature, of a second message to be signed (M′), with a private exponent component d of an RSA key (p, q, N, d, e), where e is a public exponent component, N is a RSA modulus, p, q primes such N=p·q and e·d=1 modulo phi(N) with phi(N) Euler's function, wherein said client device (A) stores a client device private key equal to (N, dA) with dA representing a client device private exponent component, a current client value (pvA), a next client value (pvA_next) and a current client dynamic offset (hA), and wherein said server device (B) stores a server device private key equal to (N, dB) with dB representing a server device private exponent component, a current server value (pvB), a next server value (pvB_next), where dB=d−dA modulo phi(N), and a current server dynamic offset (hB), the instructions causing the processor of the server to perform: a handshake phase, comprising: c. receiving from the client device (A) a handshake request comprising a hash of the next client value (pvA_next), d.
checking the value of the next client value (pvA_next) and: when the next client value (pvA_next) equals a first default value (DUMMY): generating a new value (x) and updating the next server value (pvB_next) with the generated new value, sending to the client device (A) the generated new value (x), to be used by the client device as next client value (pvA_next), when the next client value (pvA_next) is not equal to said first default value (DUMMY): checking the value of the next server value (pvB_next), when the next server value (pvB_next) is equal to a second default value (NULL) and the next client value (pvA_next) equals the current server value (pvB): sending to the client device (A) a fix request asking the client device (A) to update the current client value (pvA) with the value of the stored next client value (pvA_next), generating a new value (x) and updating the next server value (pvB_next) with the generated new value, sending to the client device (A) the generated new value (x), to be used by the client device as next client value (pvA_next), when the next server value (pvB_next) is equal to said second default value (NULL) and the next client value (pvA_next) is not equal to the current server value (pvB), suspending performing said method, when the next server value (pvB_next) is not equal to said second default value (NULL): generating a new value (x) and updating the next server value (pvB_next) with the generated new value, sending to the client device (A) the generated new value (x), to be used by the client device as next client value (pvA_next), and a signing phase performed by the server device (B) after the handshake phase and generating the current signature; said signing phase comprising: c. 
generating a server part of the current signature (HS2) from the server device private exponent component (dB) and from an updated server dynamic offset (hB′), said updated server dynamic offset (hB′) being function of the current server dynamic offset (hB) and of a server shift value (cB), said server shift value (cB) being function of the current server value (pvB), such that the current signature can be generated by combining said server part of the current signature (HS2) and a client part of the current signature (HS1) generated by the client device (A) from the client device private exponent component (dA) and from an updated client dynamic offset (hA′), said updated client dynamic offset (hA′) being function of the current client dynamic offset (hA) and of a client shift value (cA), said client shift value (cA) being function of the current client value (pvA), d. setting the current server dynamic offset (hB) to the updated server dynamic offset (hB′) value, the current server value (pvB) to the value of the next server value (pvB_next) and the next server value (pvB_next) to said second default value (NULL), the current client dynamic offset (hA) being set to the updated client dynamic offset (hA′) value, the current client value being set to the value of the next client value (pvA_next) and the next client value (pvA_next) being set to said first default value (DUMMY), performing the handshake phase and the signing phase with the next signature as current signature, for generating the next signature.
12. Server comprising a processor and an interface, a memory configured to store a server device private key, a current server value (pvB), a next server value (pvB_next), and a current server dynamic offset (hB), the processor programmed to perform secure generation by the server device (B), in collaboration with a client device (A), of at least a first signature (H(M)^d), called current signature, of a first message to be signed (M) and a second signature (H(M′)^d), called next signature, of a second message to be signed (M′), with a private exponent component d of an RSA key (p, q, N, d, e), where e is a public exponent component, N is a RSA modulus, p, q primes such N=p·q and e·d=1 modulo phi(N) with phi(N) Euler's function, wherein said client device (A) stores a client device private key equal to (N, dA) with dA representing a client device private exponent component, a current client value (pvA), a next client value (pvA_next) and a current client dynamic offset (hA), and wherein said server device (B) stores a server device private key equal to (N, dB) with dB representing a server device private exponent component, a current server value (pvB), a next server value (pvB_next), where dB=d−dA modulo phi(N), and a current server dynamic offset (hB), the instructions causing the processor of the server to perform: a handshake phase, comprising: e. receiving from the client device (A) a handshake request comprising a hash of the next client value (pvA_next), f.
checking the value of the next client value (pvA_next) and: when the next client value (pvA_next) equals a first default value (DUMMY): generating a new value (x) and updating the next server value (pvB_next) with the generated new value, sending to the client device (A) the generated new value (x), to be used by the client device as next client value (pvA_next), when the next client value (pvA_next) is not equal to said first default value (DUMMY): checking the value of the next server value (pvB_next), when the next server value (pvB_next) is equal to a second default value (NULL) and the next client value (pvA_next) equals the current server value (pvB): sending to the client device (A) a fix request asking the client device (A) to update the current client value (pvA) with the value of the stored next client value (pvA_next), generating a new value (x) and updating the next server value (pvB_next) with the generated new value, sending to the client device (A) the generated new value (x), to be used by the client device as next client value (pvA_next), when the next server value (pvB_next) is equal to said second default value (NULL) and the next client value (pvA_next) is not equal to the current server value (pvB), suspending performing said method, when the next server value (pvB_next) is not equal to said second default value (NULL): generating a new value (x) and updating the next server value (pvB_next) with the generated new value, sending to the client device (A) the generated new value (x), to be used by the client device as next client value (pvA_next), and a signing phase performed by the server device (B) after the handshake phase and generating the current signature; said signing phase comprising: e. 
generating a server part of the current signature (HS2) from the server device private exponent component (dB) and from an updated server dynamic offset (hB′), said updated server dynamic offset (hB′) being function of the current server dynamic offset (hB) and of a server shift value (cB), said server shift value (cB) being function of the current server value (pvB), such that the current signature can be generated by combining said server part of the current signature (HS2) and a client part of the current signature (HS1) generated by the client device (A) from the client device private exponent component (dA) and from an updated client dynamic offset (hA′), said updated client dynamic offset (hA′) being function of the current client dynamic offset (hA) and of a client shift value (cA), said client shift value (cA) being function of the current client value (pvA), f. setting the current server dynamic offset (hB) to the updated server dynamic offset (hB′) value, the current server value (pvB) to the value of the next server value (pvB_next) and the next server value (pvB_next) to said second default value (NULL), the current client dynamic offset (hA) being set to the updated client dynamic offset (hA′) value, the current client value being set to the value of the next client value (pvA_next) and the next client value (pvA_next) being set to said first default value (DUMMY), performing the handshake phase and the signing phase with the next signature as current signature, for generating the next signature.
13. A system comprising a server (B) and a client device (A), wherein the server (B) comprises a processor and an interface, a memory configured to store a server device private key, a current server value (pvB), a next server value (pvB_next), and a current server dynamic offset (hB), the processor programmed to perform secure generation by the server device (B), in collaboration with a client device (A), of at least a first RSA signature (H(M)^d), called current signature, of a first message to be signed (M) and a second signature (H(M′)^d), called next signature, of a second message to be signed (M′), with a private exponent component d of an RSA key (p, q, N, d, e), where e is a public exponent component, N is a RSA modulus, p, q primes such N=p·q and e·d=1 modulo phi(N) with phi(N) Euler's function, wherein said client device (A) stores a client device private key equal to (N, dA) with dA representing a client device private exponent component, a current client value (pvA), a next client value (pvA_next) and a current client dynamic offset (hA), and wherein said server device (B) stores a server device private key equal to (N, dB) with dB representing a server device private exponent component, a current server value (pvB), a next server value (pvB_next), where dB=d−dA modulo phi(N), and a current server dynamic offset (hB), the processor programmed to perform: a handshake phase, comprising: receiving from the client device (A) a handshake request comprising a hash of the next client value (pvA_next), checking the value of the next client value (pvA_next) and: when the next client value (pvA_next) equals a first default value (DUMMY): generating a new value (x) and updating the next server value (pvB_next) with the generated new value, sending to the client device (A) the generated new value (x), to be used by the client device as next client value (pvA_next), when the next client value (pvA_next) is not equal to said
first default value (DUMMY): checking the value of the next server value (pvB_next), when the next server value (pvB_next) is equal to a second default value (NULL) and the next client value (pvA_next) equals the current server value (pvB): sending to the client device (A) a fix request asking the client device (A) to update the current client value (pvA) with the value of the stored next client value (pvA_next), generating a new value (x) and updating the next server value (pvB_next) with the generated new value, sending to the client device (A) the generated new value (x), to be used by the client device as next client value (pvA_next), when the next server value (pvB_next) is equal to said second default value (NULL) and the next client value (pvA_next) is not equal to the current server value (pvB), suspending performing said method, when the next server value (pvB_next) is not equal to said second default value (NULL): generating a new value (x) and updating the next server value (pvB_next) with the generated new value, sending to the client device (A) the generated new value (x), to be used by the client device as next client value (pvA_next), and a signing phase performed by the server device (B) after the handshake phase and generating the current signature; said signing phase comprising: generating a server part of the current signature (HS2) from the server device private exponent component (dB) and from an updated server dynamic offset (hB′), said updated server dynamic offset (hB′) being function of the current server dynamic offset (hB) and of a server shift value (cB), said server shift value (cB) being function of the current server value (pvB), such that the current signature can be generated by combining said server part of the current signature (HS2) and a client part of the current signature (HS1) generated by the client device (A) from the client device private exponent component (dA) and from an updated client dynamic offset (hA′), said updated 
client dynamic offset (hA′) being function of the current client dynamic offset (hA) and of a client shift value (cA), said client shift value (cA) being function of the current client value (pvA), setting the current server dynamic offset (hB) to the updated server dynamic offset (hB′) value, the current server value (pvB) to the value of the next server value (pvB_next) and the next server value (pvB_next) to said second default value (NULL), the current client dynamic offset (hA) being set to the updated client dynamic offset (hA′) value, the current client value being set to the value of the next client value (pvA_next) and the next client value (pvA_next) being set to said first default value (DUMMY), performing the handshake phase and the signing phase with the next signature as current signature, for generating the next signature.
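The signing arithmetic of claims 3 to 8 and 10, as an added Python example that is not code from the patent. It assumes a toy key built from two small Mersenne primes, SHA-256 reduced mod N as H(M), and HMAC-SHA256 standing in for the unspecified pseudo random number generator; `Party`, `shift` and `combine_and_verify` are hypothetical names. It also shows that a client copy whose offset is out of step with the server produces a part that fails the claim 8 verification.

```python
import hashlib
import hmac
import secrets

# Constructed toy key from two Mersenne primes; far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)
D = pow(E, -1, PHI)


def H(message: bytes) -> int:
    """Toy hash into Z_N: SHA-256 reduced mod N (assumption, no padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def shift(seed_offset: bytes, pv: bytes) -> int:
    """Claim 3 shift value; HMAC-SHA256 stands in for the unspecified PRNG."""
    mac = hmac.new(seed_offset, pv, hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


class Party:
    """One exponent share plus the rolling state (pv, h) described in claim 1."""

    def __init__(self, share: int, sign: int, seed_offset: bytes, pv: bytes):
        self.share, self.sign = share, sign      # sign: +1 client, -1 server
        self.seed_offset, self.pv, self.h = seed_offset, pv, 0

    def partial(self, digest: int, pv_next: bytes) -> int:
        h_new = self.h + shift(self.seed_offset, self.pv)       # claim 4
        part = pow(digest, self.share + self.sign * h_new, N)   # claims 5, 6, 10
        self.h, self.pv = h_new, pv_next                        # end-of-signing update
        return part


def combine_and_verify(digest: int, hs1: int, hs2: int):
    """Claims 7, 8 and 10: multiply the parts, then check with the public key."""
    sig = (hs1 * hs2) % N
    return sig, pow(sig, E, N) == digest


def demo():
    d_a = secrets.randbelow(PHI - 1) + 1
    d_b = (D - d_a) % PHI                       # dB = d - dA modulo phi(N)
    seed, pv0 = secrets.token_bytes(16), secrets.token_bytes(16)
    client, server = Party(d_a, +1, seed, pv0), Party(d_b, -1, seed, pv0)
    stale = Party(d_a, +1, seed, pv0)           # client state copied before any signing
    results = []
    for msg in (b"first message M", b"second message M'"):
        x, m = secrets.token_bytes(16), H(msg)  # x: value the handshake would distribute
        sig, ok = combine_and_verify(m, client.partial(m, x), server.partial(m, x))
        results.append(ok and sig == pow(m, D, N))
    # The stale copy's offset no longer matches the server's, so the parts do not cancel.
    x, m = secrets.token_bytes(16), H(b"third message")
    _, stale_ok = combine_and_verify(m, stale.partial(m, x), server.partial(m, x))
    return results, stale_ok


if __name__ == "__main__":
    print(demo())
```

The offsets cancel only when both sides have applied the same sequence of shift values, which is why the combined result equals H(M)^d for the synchronized pair and not for the stale copy.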
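The server-side handshake decisions of claim 1 and the clone-counter check of claim 9, as an added Python example that is not code from the patent. It assumes the server compares SHA-256 hashes of the values, a byte string for DUMMY, `None` for NULL, and a sticky `suspended` flag for "suspending performing said method"; `ServerState`, `digest` and the message tuples are hypothetical.

```python
import hashlib
import hmac
import secrets

DUMMY = b"DUMMY"   # first default value (byte encoding is an assumption)
NULL = None        # second default value


def digest(value: bytes) -> str:
    return hashlib.sha256(value).hexdigest()


class ServerState:
    def __init__(self, pv_b: bytes, counter_b: int = 0):
        self.pv_b, self.pv_b_next = pv_b, NULL
        self.counter_b, self.suspended = counter_b, False

    def check_counter(self, counter_a: int) -> bool:
        """Claim 9: accept only a strictly greater client clone counter."""
        if counter_a > self.counter_b:
            self.counter_b = counter_a
            return True
        self.suspended = True
        return False

    def handshake(self, pv_a_next_hash: str) -> list:
        """Claim 1 handshake; returns the messages to send to the client."""
        if self.suspended:
            return [("suspend",)]
        replies = []
        client_has_dummy = hmac.compare_digest(pv_a_next_hash, digest(DUMMY))
        if not client_has_dummy and self.pv_b_next is NULL:
            # Server finished its last signing update; the client may not have.
            if hmac.compare_digest(pv_a_next_hash, digest(self.pv_b)):
                replies.append(("fix",))       # client must set pvA = pvA_next
            else:
                self.suspended = True          # values cannot be reconciled
                return [("suspend",)]
        x = secrets.token_bytes(16)            # new value (x)
        self.pv_b_next = x
        replies.append(("new_value", x))
        return replies


def scenarios() -> dict:
    kinds = lambda replies: [r[0] for r in replies]
    out, s = {}, ServerState(pv_b=b"pv-0")
    out["fresh"] = kinds(s.handshake(digest(DUMMY)))
    # Client repeats the handshake before signing: pvB_next is not NULL.
    out["retry"] = kinds(s.handshake(digest(s.pv_b_next)))
    # Server completes its signing update; client still holds x as pvA_next.
    x = s.pv_b_next
    s.pv_b, s.pv_b_next = x, NULL
    out["client_behind"] = kinds(s.handshake(digest(x)))
    # Server completes another update; client presents a value never issued.
    s.pv_b, s.pv_b_next = s.pv_b_next, NULL
    out["unknown"] = kinds(s.handshake(digest(b"not-issued")))
    out["after_suspend"] = kinds(s.handshake(digest(DUMMY)))
    out["counter"] = (ServerState(b"pv", 4).check_counter(5),
                      ServerState(b"pv", 4).check_counter(4))
    return out


if __name__ == "__main__":
    print(scenarios())
```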
April 12, 2022